OSPF over IPsec configuration
There are several steps to the OSPF-over-IPsec configuration:
- Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
- Configure a static route to the other FortiGate unit.
- Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.
This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section OSPF over IPsec configuration.
Configuring the IPsec VPN
A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.
To configure Phase 1
- Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters.
Enter these settings in particular:
Name | Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface. |
Remote Gateway | Select Static IP Address. |
IP Address | Enter the IP address of the other FortiGate unit’s public (Port 2) interface. |
Local Interface | Select this FortiGate unit’s public (Port 2) interface. |
Mode | Select Main (ID Protection). |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. It must match the preshared key on the other FortiGate unit. |
Advanced | Select Advanced. |
To assign the tunnel end IP addresses
- Go to System > Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit.
- In the IP and Remote IP fields, enter the following tunnel end addresses:
 | FortiGate_1 | FortiGate_2 |
IP | 10.1.1.1 | 10.1.1.2 |
Remote_IP | 10.1.1.2 | 10.1.1.1 |
These addresses are from a network that is not used for anything else.
To configure Phase 2
- Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
- Select the name of the Phase 1 configuration that you defined in Step OSPF over IPsec configuration, tunnel_wan1 for example.
Configuring static routing
You need to define the route for traffic leaving the external interface.
- Go to Router > Static > Static Routes, select Create New.
For low-end FortiGate units, go to System > Network > Routing and select Create New.
- Enter the following information.
Destination IP/Mask | Leave as 0.0.0.0 0.0.0.0. |
Device | Select the external interface. |
Gateway | Enter the IP address of the next hop router. |
Configuring OSPF
This section does not attempt to explain OSPF router configuration. It focusses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.
This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address. The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.
The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.
Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.
Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example, if this IP address were 10.1.0.0, only routes that match that subnet would be advertised through this interface in OSPF.
FortiGate_1 OSPF configuration
When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.
With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.
To create the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:
config system interface
    edit lback1
        set vdom root
        set ip 10.0.0.1 255.255.255.255
        set type loopback
end
The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
To configure OSPF area, networks, and interfaces - web-based manager
- On FortiGate_1, go to Router > Dynamic > OSPF.
For low end FortiGate units, you first need to enable Dynamic Routing by going to System > Admin > Settings.
- Enter the following information to define the router, area, and interface information.
Router ID | Enter 10.0.0.1 . Select Apply before entering the remaining information. |
Advanced Options | |
Redistribute | Select the Connected and Static check boxes. Use their default metric values. |
Areas | Select Create New, enter the Area and Type and then select OK. |
Area | 0.0.0.0 |
Type | Regular |
Interfaces | |
Name | Enter a name for the OSPF interface, ospf_wan1 for example. |
Interface | Select the virtual IPsec interface, tunnel_wan1. |
IP | 0.0.0.0 |
- For Networks, select Create New.
- Enter the IP/Netmask of 10.1.1.0/255.255.255.0 and an Area of 0.0.0.0.
- For Networks, select Create New.
- Enter the IP/Netmask of 10.0.0.1/255.255.255.0 and an Area of 0.0.0.0.
- Select Apply.
To configure OSPF area and interfaces - CLI
Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
    end
    config network
        edit 4
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.0.0.1 255.255.255.255
    end
    config ospf-interface
        edit ospf_wan1
            set cost 10
            set interface tunnel_wan1
            set network-type point-to-point
    end
    config redistribute connected
        set status enable
    end
    config redistribute static
        set status enable
    end
end
FortiGate_2 OSPF configuration
When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.
Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.
With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.
To create the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:
config system interface
    edit lback1
        set vdom root
        set ip 10.0.0.2 255.255.255.255
        set type loopback
end
The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
To configure OSPF area and interfaces - web-based manager
- On FortiGate_2, go to Router > Dynamic > OSPF.
For low end FortiGate units, you first need to enable Dynamic Routing by going to System > Admin > Settings.
- Complete the following.
Router ID | 10.0.0.2 |
Areas | Select Create New, enter the Area and Type and then select OK. |
Area | 0.0.0.0 |
Type | Regular |
Interfaces | |
Name | Enter a name for the OSPF interface, ospf_wan1 for example. |
Interface | Select the virtual IPsec interface, tunnel_wan1. |
IP | 0.0.0.0 |
- For Networks, select Create New.
- Enter the following information for the loopback interface:
IP/Netmask | 10.0.0.2/255.255.255.255 |
Area | 0.0.0.0 |
- For Networks, select Create New.
- Enter the following information for the tunnel interface:
IP/Netmask | 10.1.1.0/255.255.255.255 |
Area | 0.0.0.0 |
- For Networks, select Create New.
- Enter the following information for the local LAN interface:
IP/Netmask | 10.31.101.0/255.255.255.255 |
Area | 0.0.0.0 |
- Select Apply.
To configure OSPF area and interfaces - CLI
If, for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:
config router ospf
    set router-id 10.0.0.2
    config area
        edit 0.0.0.0
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.31.101.0 255.255.255.0
        next
        edit 3
            set prefix 10.0.0.2 255.255.255.255
    end
    config ospf-interface
        edit ospf_wan1
            set interface tunnel_wan1
            set network-type point-to-point
    end
end
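A pre-deployment check for the OSPF CLI blocks described above, as an added example that is not part of the original page or Fortinet's tooling. It verifies that the tunnel end and loopback addresses fall inside a configured OSPF network, that no network entry ID is reused, and that the virtual IPsec interface is bound as an OSPF interface. The names parse_ospf, check_unit and SAMPLE are hypothetical, and the sample configuration is constructed.

```python
import ipaddress

def parse_ospf(text):
    """Collect (edit id, prefix) pairs and bound interfaces from FortiOS CLI text."""
    cfg = {"networks": [], "interfaces": []}
    section = edit_id = None
    for line in map(str.strip, text.splitlines()):
        words = line.split()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            edit_id = words[1]
        elif section == "network" and line.startswith("set prefix "):
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            cfg["networks"].append((edit_id, net))
        elif section == "ospf-interface" and line.startswith("set interface "):
            cfg["interfaces"].append(words[2])
    return cfg

def check_unit(name, text, required, tunnel_if="tunnel_wan1"):
    """Return findings for one unit; an empty list means every check passed."""
    cfg, out = parse_ospf(text), []
    ids = [i for i, _ in cfg["networks"]]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        out.append(f"{name}: 'edit {dup}' reused in config network")
    effective = dict(cfg["networks"]).values()  # a reused edit id keeps only its last prefix
    for label, ip in required.items():
        if not any(ipaddress.ip_address(ip) in net for net in effective):
            out.append(f"{name}: {label} {ip} not in any OSPF network")
    if tunnel_if not in cfg["interfaces"]:
        out.append(f"{name}: {tunnel_if} is not an OSPF interface")
    return out

# Constructed sample input: entry 1 is edited twice, so the tunnel prefix is overwritten.
SAMPLE = """config router ospf
config network
edit 1
set prefix 10.1.1.0 255.255.255.0
next
edit 1
set prefix 10.0.0.2 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set interface tunnel_wan1
end
end"""
FINDINGS = check_unit("FortiGate_2", SAMPLE, {"tunnel end": "10.1.1.2", "loopback": "10.0.0.2"})
print(*FINDINGS, sep="\n")
```

Run it against each unit's block with that unit's own tunnel end and loopback addresses before pasting the commands into the CLI.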